Boards are getting savvy when it comes to security and risk.

A recent Gartner report shows that although board interest in security has risen, only 37% feel confident that their companies are properly secured against cyberattacks. Less than half are confident or very confident in the organization’s ability to manage cyber risk.

Board members are concerned, and rightly so. Many are required to know how the organization is performing in order to comply with regulations that can hold them liable if they fail to do so.

Your job is to communicate risk to the board in terms of the broader business implications.

  - How does it impact operations?
  - What’s the cost now, and what are the possible future costs or revenue losses?
  - What’s the risk in terms of market, compliance, innovation, security, and reputation?

Be prepared before you approach the board. Do your research. Consider their view of what you’re going to present or discuss with them. Don’t overwhelm them with too many details. Stay high level and focus on objectives and progress. Tell the team story.

Five key questions board members care about

  1. What’s the trade-off? You’ll get this question when a board member wants to make a decision but doesn’t have enough information yet. By asking about the trade-off they’re prompting you for ad-hoc analysis of the pros and cons of a potential decision. Reinforce the objective and what’s being done to achieve it.
  2. What does the broader landscape look like? This question helps put what you’re saying into perspective. Where possible, compare your company’s progress with others in your industry. Board members educate themselves with threat reports, blogs, and news. Be prepared to discuss how you are tracking these trends and whether actions are underway or planned to move the company forward or mitigate the risk.
  3. What’s the risk? The board members are responsible for accepting risk within reasonable limits. Risks outside these limits require action whether it’s mitigation or otherwise. It’s your job to provide them with recommendations. If you must bring a problem before the board, always have recommendations and be prepared to discuss them.
  4. How is performance? This question indicates that the board is looking for assurance from you. Be prepared to explain any delays and highlight what’s being done to correct the situation. Highlight progress. And always tie your discussions back to key business objectives.
  5. What’s our response? This is another opportunity to provide assurance to the board. Keep this high level. Identify gaps. List mitigations. Outline steps. Be prepared to accept their input.

Remember, it’s the board’s responsibility to make decisions for the organization. Your job is to present them with the information they need to do that.

Want to improve how you identify, manage and communicate risk? Schedule a quick call with Charlene to find out how you can improve your risk conversation. Charlene@fismacs.com (301) 346-3752.
